Systems and methods for threat analysis of computer data

ABSTRACT

Various embodiments of the present disclosure can include systems, methods, and non-transitory computer readable media configured to aggregate a plurality of threat signatures from a plurality of threat signature data sources. The bit stream data is analyzed, based on the plurality of threat signatures, to detect a first threat in the bit stream data. A result of analyzing the bit stream data is logged as threat analysis log data. The threat analysis log data is analyzed to detect a second threat in the bit stream data. The threat analysis log data may be analyzed based on a heuristic. An action is triggered based on analysis of the bit stream data, or based on heuristic analysis of the threat analysis log data.

FIELD OF THE INVENTION

Inventions disclosed herein relate to data analysis and, moreparticularly, analyzing computer data flowing over a network.

BACKGROUND

Detection of computer security threats is vital to maintaining moderninfrastructure for personal, business, and national security purposes.Generally, computer security threat detection may be implemented on anetwork (e.g., at the perimeter of a private network), at individualclient devices, or both. With respect to a network, threat detection isoften implemented using one or more network firewalls, deep packetinspection (DPI) appliances, and intrusion detection systems (IDSs), andthe like. Unfortunately, traditional implementations of network threatdetection usually lack network throughput speed, require manualconfiguration maintenance (e.g., blacklist IP lists), utilize threatsignatures from a single source, or provide a very discrete threatdetection solution (e.g., solution unique to a particular vendor) thatis fragmented with respect to other threat detection solutions. In viewof this, various government entities (e.g., U.S. Federal Government),infrastructure entities (e.g., utility companies), and commercialentities can benefit from a threat detection that is in-line, and morerobust and real time than those traditionally utilized.

SUMMARY

Various embodiments of the present disclosure can include systems,methods, and non-transitory computer readable media configured toaggregate a plurality of threat signatures from a plurality of threatsignature data sources. The bit stream data is analyzed, based on theplurality of threat signatures, to detect a first threat in the bitstream data. A result of analyzing the bit stream data is logged asthreat analysis log data. The threat analysis log (or stream) data isanalyzed to detect a second threat in the bit stream data. The threatanalysis log (or stream) data may be analyzed based on a heuristic. Anaction is triggered based on analysis of the bit stream data, or basedon heuristic analysis of the threat analysis log data.

In an embodiment, the bit stream data is received over a networkconnection from a network device.

In an embodiment, the analyzing the threat analysis stream or log datais based on at least one heuristic and typically a multitude ofheuristics.

In an embodiment, the analyses of bit stream data based on the pluralityof threat signatures and of threat analysis log (or stream) data basedon heuristics can be performed in parallel or in sequence. The analysescan be included in a chain of independent or cooperative analyses, wherethe output of one analysis can be shared with the other analyses toimprove specificity and security.

In an embodiment, a user is notified regarding the first threat or thesecond threat when identified.

In an embodiment, the first threat and the second threat are similar.

In an embodiment, the bit stream data is outputted in response to thefirst threat and the second threat not being detected in the bit streamdata.

In an embodiment, the action comprises configuring a network device toaddress the first threat in response to the first threat being detectedin the bit stream data, or configuring the network device to address thesecond threat in response to the second threat being detected in the bitstream data. The network device may be configured by configuring anetwork traffic aggregation system, where the network trafficaggregation system configures the network device. Depending on theembodiment, the network device may be an edge network device or aninternal network device.

In an embodiment, the analyzing the bit stream data based on theplurality of threat signatures comprises performing deep packetinspection based on the plurality of threat signatures

In an embodiment, the analyzing the bit stream data is performed by bitstream vector processing, or the analyzing the threat analysis log datais performed by bit stream vector processing.

In an embodiment, the (triggered) action comprises at least one ofdropping a packet in the bit stream data, routing the packet to a filterfor deeper packet inspection, tagging the packet with a meta riskindicator or a meta risk score, rerouting the packet to its destination,or rerouting the packet to a sandbox for quarantine.

In an embodiment, the triggering the action is performed by bit streamvector processing by a combination of parallel and/or sequential set ofworkers that are dynamically assigned.

In an embodiment, at least one threat signature data source in theplurality of threat signature data sources is commercial, proprietary,or open source.

In an embodiment, the plurality of threat signature data sourcesincludes independent organizations.

In an embodiment, the threat analysis log data includes log dataproduced by an external deep packet inspection system. The external deeppacket inspection system may perform deep packet inspection on the bitstream data before the analyzing the bit stream data based on theplurality of threat signatures, or before the analyzing the threatanalysis log data.

Many other features and embodiments of the invention will be apparentfrom the accompanying drawings and from the following detaileddescription.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example environment for a threat analysis system,according to an embodiment of the present disclosure.

FIG. 2 illustrates an example threat analysis system, according to anembodiment of the present disclosure.

FIG. 3 illustrates an example threat analysis system in an exampleenvironment, according to an embodiment of the present disclosure.

FIG. 4 illustrates an example threat analysis system in an exampleenvironment, according to an embodiment of the present disclosure.

FIG. 5 illustrates an example process for analyzing threats, accordingto an embodiment of the present disclosure.

FIG. 6 illustrates an example of a computer system that can be utilizedin various scenarios, according to an embodiment of the presentdisclosure.

The figures depict various embodiments of the disclosed technology forpurposes of illustration only, wherein the figures use like referencenumerals to identify like elements. One skilled in the art will readilyrecognize from the following discussion that alternative embodiments ofthe structures and methods illustrated in the figures can be employedwithout departing from the principles of the disclosed technologydescribed herein.

DETAILED DESCRIPTION

Various systems and methods described herein analyze for computersecurity threats (herein, also referred to as “threats”) in computerdata and more particularly provide a signature-oriented andheuristic-oriented protection against threats in computer data. For someembodiments, the systems and methods described herein may comprisesignature-based and heuristic-based analyses to attempt to detectthreats in a stream of data, such as a bit stream of data (bit streamdata). For example, systems and methods described herein may implementreal-time, in-line cyber protection to network users. The protection maycomprise a signature-based analysis based on threat signaturesaggregated (e.g., in real-time) from multiple threat feeds, and mayfurther comprise a (set of) heuristic-based analysis of threat analysislog or stream data produced from signature-based analyses (e.g., thosebased on the aggregated threat signatures and others). In this way,systems and methods described herein may perform in-line threat analysis(e.g., in-line with a network pipeline) and may perform such analysis atwire speed. For instance, systems and methods described herein mayhandle analysis of data communicated over a network (e.g., deep packetinspection), at carrier grade network speeds (e.g., 10 Gbps and higher),with low latency, and at or near real-time. Depending on the embodiment,the systems and methods described herein may be implemented as a Systemas a Service. The systems and methods described herein may beimplemented on a private network, such as a corporate network, and maybe implemented at a network perimeter (e.g., edge of private network).Accordingly, threat detection in accordance with the systems and methodsdescribed herein may provide a multitude of in-line evaluators tointroduce a variety of threat signatures/patterns from various sources,perform heuristic analytics against a variety of threat indicators,determine a protective action, and trigger a response in a moreeffective manner than conventional systems that tend to act singularlyand non-cooperatively.

According to some embodiments, signatures that facilitate identificationof computer security threats in computer data are aggregated (e.g.,ingested) from two or more threat signature sources (e.g., computersecurity vendors), which may be organizations that are separate andindependent from one another. Threat signature sources may beproprietary (e.g., signatures derived from CSC Data Center operations orCyber-Security activities), open source (e.g., Team Cymru or SANSInstitute), or commercial (e.g., McAfee® or Symantec®) in nature, andmay provide or make their set of threat signatures available throughdifferent means. For example, a particular threat signature source mayprovide their set of threat signatures through a threat data feed or asa downloadable data file. Threat data feeds also can include, forexample, commercial whitelist or blacklist global threat data feeds.Threat data feeds from these sources can be deployed to examine thein-line data stream using open source tools, like Snort or Suricata, toparse log data, and act upon threat data. Additionally other open sourcetools can be used to support the action of the packet inspection and theactions of the systems and methods described herein, such as Red HatLinux, Barnyard, Bro, and SiLK, among others.

Some threat signature sources exclusively provide their proprietary setof threat signatures to only one or more threat analysis softwareapplications or systems, such as their own computer security products.For such threat signature sources, the proprietary set of threatsignatures may be aggregated by way of one or more of the threatanalysis software applications or systems exclusively using theproprietary set of threat signatures. For example, a system or methodmay aggregate the propriety set of threat signatures by analyzing (e.g.,scraping) the log data generated by the threat analysis softwareapplications or systems that are exclusively using the proprietary setof threat signatures.

Computer data, such as bit stream data, can be analyzed using signaturematching based on the aggregated threat signatures obtained from theplurality of threat signature sources. Sets of threat signatures fromdifferent threat signature sources can differ in the number threatsignatures, the threats covered, and the threat signatures available fora given threat. In view of this, using the set of aggregated threatsignatures to detect threats in computer data can increase thelikelihood of detecting a threat over only using a single set of threatsignatures from one threat signature source to detect threats.Additionally, using a set of aggregated threat signatures to detectthreats at the edge of a network can reduce the number of threatanalysis software applications and systems that need to be utilized fora computer security implementation within that network. This signatureaggregation can maintain a high throughput speed when analyzing computerdata in-line (e.g., in-line threat detection between an internal andexternal network) using advanced high data throughput programmableappliances.

According to some embodiments, the signature-based analysis for threatscan be augmented by a heuristic-based analysis of log data to detectthreats, some of which may have not been detected during thesignature-based analysis. In this way, the heuristic-based analysis canreduce the number of threat false positives that may otherwise resultfrom using one or more signature-based threat analyses alone. The logdata analyzed may include log data produced by the signature-basedthreat analysis based on the aggregated threat signatures, and log dataproduced by a third-party signature oriented threat analysis (e.g., oneperformed by a commercial deep packet inspection appliance, such asMcAfee M-8000 or HP TippingPoint). The heuristic-based analysis maydetect threats using heuristics similar to those utilized by someintrusion detection systems, and may involve interpolating threatanalysis log data to detect threats. For some embodiments, theheuristic-based analysis may comprise using positive or negativecorrelation and learning correlation cluster behaviors over time. Insome embodiments, threats detected by signature-based threat analysismay be similar to, identical with, or different from threated detectedby heuristic-based threat analysis.

Based on a threat being detected by the signature-based analysis, theheuristic-based analysis, or both, an action may be triggered to addressthe detected threat. Additionally, based on a threat being detected bythe signature-based analysis, the heuristic-based analysis, or both,in-line active defenses can be performed or a notification may be sentto one or more users or automated systems concerned about such threats(e.g., a network security operations engineer or a tuned router ornetwork appliances spread across a local or wide area network).Depending on the embodiment, the action triggered may include droppingone or more network packets relating to the threat, routing the networkpackets to a filter for deeper packet inspection, tagging the networkpackets with a meta risk indicator or a meta risk score, rerouting thenetwork packets to their destination, or rerouting the network packetsto a sandbox for quarantine (e.g., for later analysis). The actiontriggered may also include dynamic routing of network packets, which mayinvolve configuring or reconfiguring a router (e.g., a downstreamrouter), or configuring or reconfiguring a software defined network(SDN) or a network router included in the SDN.

For some embodiments, notifications regarding threats may beautomatically sent to a user through electronic message (e.g., e-mail ortext message) or by way of an action system, such as a securityinformation and event management system (SIEM) (e.g., HP ArcSight®). Invarious embodiments, a security issue detected by an action system(e.g., based on threat analysis log data) can trigger an action toaddress the security issue detected.

In some embodiments, systems and methods are implemented usingvectorized comparators, which may be organized in either a multipleinstruction multiple data (MIMD), or a Multiple Instruction Single Data(MISD) orientation that enables in-line analysis of network packets. Forheuristic-based analysis, network packets may be tagged with a uniqueidentifier and processed according to a heuristically arranged set ofoperations (e.g., sequential or parallel), which may enable risk-baseddecisions on threat detection.

The figures described herein depict various embodiments of the presentinvention for purposes of illustration only. Alternative embodiments ofthe structures and methods illustrated in the figures may be employedwithout departing from the principles of the invention described herein.

FIG. 1 illustrates an example environment 100 for a threat analysissystem, according to an embodiment of the present disclosure. As shown,the example environment 100 includes one or more threat signaturesources 102, an external network 104, an edge network device 106, athreat analysis system 108, and an internal network 110. It will beunderstood that for some embodiments the components or the arrangementof components in the example environment 100 may differ from what isdepicted in FIG. 1.

In accordance with some embodiments, the external network 104 or theinternal network 110 may be implemented using one or more local orwide-area communications networks, such as the Internet, WiFi networks,WiMax networks, private networks, public networks, and the like.Depending on the embodiment, some or all of the communicationconnections with the external network 104 or the internal network 110may utilize encryption (e.g., Secure Sockets Layer [SSL]) to secureinformation being transferred between the various entities shown in theexample environment 100.

For some embodiments, the threat analysis system 108 may communicatedata with one or more of the threat signature sources 102 over anetwork, which may include the external network 104 or the internalnetwork 110 of the example environment 100. The threat analysis system108 may communicate with the external network 104 through the edgenetwork device 106, which may represent network perimeter for theinternal network 110. The internal network 110 may be a private networkand may be associated with an organization, such as a corporation (e.g.,private corporate network). The external network 104 may be a publicnetwork, such as the Internet. Data communicated between a networkdevice on the external network 104 and a network device on the internalnetwork 110 may be transmitted through the edge network device 106 andthe threat analysis system 108 before reaching its destination. It willbe understood that in some embodiments additional or different networkedsystems and devices may exist on the network communication path betweenthe threat analysis system 108 and the external network 104, and on thenetwork communication path between the threat analysis system 108 andthe internal network 110, including additional threat analysis systems(e.g., deep packet inspection application by a third party).

One or more of the threat signature sources 102, the edge network device106, and the threat analysis system 108 may be implemented by, orutilize, one or more modules as described herein. For instance, one ormore of the threat signature sources 102, the edge network device 106,and the threat analysis system 108 may be implemented using a computersystem similar to the one discussed later with respect to FIG. 6.

As used herein, computing devices may include a mobile phone, a tabletcomputing device, a laptop, a desktop computer, personal digitalassistant, a portable gaming unit, a wired gaming unit, a thin client, aset-top box, a portable multi-media player, or any other type oftouch-enabled computing device known to those of skill in the art.Further, the threat analysis system 108 may comprise one or moreservers, which may be operating on or implemented using one or morecloud-based resources (e.g., System-as-a-Service [SaaS],Platform-as-a-Service [PaaS], or Infrastructure-as-a-Service [IaaS]).

The threat analysis system 108 may be configured to aggregate threatsignatures from two or more of the threat signature sources 102. Asdescribed herein, the threat signature sources 102 may representmultiple threat feeds, provided by separate and independent threatsignature sources. One or more of the threat signature sources 102 maybe proprietary (e.g., HP TippingPoint DVLab data or McAfee® GlobalThreat data), open source (e.g., Team Cymru or SANS Institute), orcommercial (e.g., Computer Sciences Corp, McAfee® or Symantec®) innature. During the aggregation, the threat analysis system 108 may parsethe threat signatures being aggregated and may locally store theaggregated threat signatures. By parsing and locally storing theaggregated threat signatures, the threat analysis system 108 may providea merged set of threat signatures for subsequent use by signature-basedthreat analysis processes.

The threat analysis system 108 may be configured to receive network databeing communicated from the external network 104 to the internal network110 through the edge network device 106, or vice versa. The network datareceived may comprise one or more network packets that may analyzed forthreats as the network data passes through the threat analysis system108. By doing so, the threat analysis system 108 can permit legitimatenetwork traffic to be communicated between the external network 104 andthe internal network 110, can detect threats contained in the networktraffic based on signature-based or heuristic-based analysis, and canprotect against (e.g., block) threats detected in the network traffic bytriggering one or more actions. Depending on the embodiment, the threatanalysis system 108 may analyze network data as a bit stream of data.

The threat analysis system 108 may be configured to detect threats inthe network traffic by first performing a signature-based threatanalysis of the network traffic using the threat signatures aggregatedfrom two or more of the threat signature sources 102. During thesignature-based threat analysis, the threat analysis system 108 maymatch the data in the network traffic against the aggregated threatsignatures to detect known threats. Depending on the embodiment, thethreat analysis system 108 may utilize suitable deep packet inspectionprocesses, such as those provided by Snort and similar softwareapplications, to perform the signature-based threat analysis.

Any results produced by the signature-based analysis may be logged asthreat analysis log data, which may be subsequently used during theheuristic-based threat analysis. The threat analysis log data may alsocontain results produced by one or more third-party threat analysissystems (e.g., deep packet inspection appliance). Depending on theembodiment, third-party threat analysis systems may be analyzing thenetwork traffic prior to, in parallel with, or subsequent to thesignature-based threat analysis being performed by the threat analysissystem 108. For some embodiments, third-party threat analysis systemsanalyze the network traffic prior to the threat analysis system 108performing the heuristic-based threat analysis.

The threat analysis system 108 may be configured to performheuristic-based threat analysis of the network traffic by analyzing thethreat analysis log data, which may be generated during thesignature-based threat analysis, and which may further be generated byone or more third-party threat analysis systems (e.g., such as oneprovided by McAfee®). The heuristic-based threat analysis mayinterpolate the threat analysis log data to detect threats.Additionally, heuristic-based threat analysis may detect threats byusing positive or negative correlation and learning correlation clusterbehavior over time. For example, the heuristic-based threat analysis mayobserve suspicious data patterns in the threat analysis log data,historical threat analysis log data, or by comparing threat analysis logdata. In some embodiments, threats detected by signature-based threatanalysis may be similar to, identical with, or different from threateddetected by heuristic-based threat analysis.

For some embodiments, the heuristic-based threat analysis may bereplaced by, or augmented with, a non-heuristic threat analysis processthat analyzes the threat analysis log data to detect threats in computerdata.

The threat analysis system 108 may be configured to trigger one or moreactions based on the results of the signature-based threat analysis orthe heuristic-based threat analysis. As described herein, the actionstriggered by the threat analysis system 108 can address one or morethreats detected by the signature-based threat analysis or theheuristic-based threat analysis. The action may be one that configuresor reconfigures the threat analysis system 108, or that configures orreconfigures a system or device external to the threat analysis system108. Examples of triggered action include, without limitation, droppinga network packet in the network traffic that contains some or all of adetect threat, routing the network packet to a filter for deeper packetinspection, tagging the network packet with a meta risk indicator or ameta risk score, rerouting the network packet to its networkdestination, or rerouting the network packet to a sandbox for quarantine(e.g., honeypot). An action may involve configuring a network device,such as a router, switch, or network traffic aggregation system, and thelike, to address a detected threat or protect against future threats.With respect to the example environment 100, the threat analysis system108 may respond to a threat detected in the network traffic byconfiguring or reconfiguring the edge network device 106 (e.g., edgerouter) or a network device coupled on the internal network 110. Forsome embodiments, the threat analysis system 108 may trigger an actionbased on network security issue detected by a SIEM. By triggering one ormore actions, the threat analysis system 108 can tune the edge networkdevice 106, the internal network 110, or related components to counter athreat.

In some embodiments, the threat analysis system 108 sends a notificationto one or more individuals upon detection of one or more threats, upondetection of particular threats, or upon detection of particular typesof threats. Depending on the embodiment, the notification may be anelectronic message, such as an e-mail, text message, or otheropen/proprietary machine readable formats, transmitted by the threatanalysis system 108, or by way of an action system, such as a SIEM.Where no threats are detected by either the signature-based threatanalysis or the heuristic-based threat analysis, the threat analysissystem 108 may allow the network traffic to pass through threat analysissystem 108 without intervention.

FIG. 2 illustrates the threat analysis system 108, according to anembodiment of the present disclosure. As shown, the threat analysissystem 108 may comprise a bit stream input module 200, a threatsignature aggregation module 202, a signature-based threat analysismodule 204, a heuristic threat analysis module 206, a trigger module208, a process control module 210, a bit stream output module 212, athreat signature datastore 222, and a threat analysis log datastore 224.In accordance with some embodiments, the threat analysis system 108 maybe configured to perform various aggregation, analysis, identification,logging, triggering, and process control operations described herein.

The bit stream input module 200 may be configured to receive networkdata being communicated from a network source to a network destinationthrough the threat analysis system 108. The threat signature aggregationmodule 202 may be configured to aggregate threat signatures from two ormore of the threat signature sources, and may be further configured tostore the aggregated threat signature locally on the threat signaturedatastore 222. The signature-based threat analysis module 204 may beconfigured to perform a signature-based threat analysis of the networktraffic using the threat signatures aggregated by the threat signatureaggregation module 202 from two or more of the threat signaturessources. The heuristic threat analysis module 206 may be configured toperform heuristic-based threat analysis of the network traffic byanalyzing the threat analysis log data generated during thesignature-based threat analysis performed by the signature-based threatanalysis module 204, or generated during threat analysis performed byanother (e.g., third-party) threat analysis systems (e.g., such as oneprovided by McAfee®). The trigger module 208 may be configured totrigger one or more actions based on the results of the signature-basedthreat analysis or the heuristic-based threat analysis.

The process control module 210 may be configured to control the bitstream vector processing of network data as the signature-based threatanalysis is performed on the network data by the signature-based threatanalysis module 204. The process control module 210 may be alsoconfigured to control the bit stream vector processing of network dataas the heuristic-based threat analysis is performed on the network databy the heuristic threat analysis module 206. The process control module210 may be further configured to control the bit stream vectorprocessing of network data as trigger actions are performed with respectto the network data by the trigger module 208. The bit stream outputmodule 212 may be configured to permit the network data to pass throughthe threat analysis system 108, undeterred, when no threats are detectedby either the signature-based threat analysis or the heuristic-basedthreat analysis.

The threat signature datastore 222 may be configured to implement orfacilitate data storage with respect to various components of the threatanalysis system 108, including storage of threat signature aggregatedfrom two or more threat signature sources. Depending on the embodiment,the threat signature datastore 222 may be implemented by a database orthe like.

The threat analysis log datastore 224 may be configured to implement orfacilitate data storage with respect to various components of the threatanalysis system 108, including storage of threat analysis log datagenerated during threat analysis performed by the signature-based threatanalysis module 204 or the heuristic threat analysis module 206. Forsome embodiments, the threat analysis log datastore 224 may also includethreat analysis log data generated by third-party threat analysissystems or devices, which may be external to the threat analysis system108. Depending on the embodiment, the threat analysis log datastore 224may be implemented by a database or the like.

FIG. 3 illustrates an example threat analysis system 308 b in an exampleenvironment 300, according to an embodiment of the present disclosure.As shown, the example environment 300 includes a plurality of threatsignature sources 302, a perimeter edge router 304, a commercial packetinspection appliance 306, a programmable deep packet inspectionappliance 308 a including the example threat analysis system 308 b, aninternal network 310, a network device 312, a traffic aggregation system314, and an action system 332. As also shown, the threat analysis system308 b may include a packet inspection system 316, a signature matchingsystem 318, an analytics system 320, and a trigger system 322.

In some embodiments, the perimeter edge router 304 receives bit streamdata from a public network, such as the Internet, the perimeter edgerouter 304 routes the received bit stream data to the commercial packetinspection appliance 306, and the commercial packet inspection appliance306 routes the bit stream data to the programmable deep packetinspection appliance 308 a. The threat analysis system 308 b, includedby and implemented on the programmable deep packet inspection appliance308 a, may use the packet inspection system 316 to analyze (e.g.,inspect) one or more packets included in the bit stream data.

The packet inspection system 316 may analyze the one or more packets forthreats based on threat signatures aggregated by the programmable deeppacket inspection appliance 308 a. For some embodiments, theprogrammable deep packet inspection appliance 308 a aggregates thethreat signatures from two or more of the threat signature sources 302,merges the aggregated threat signatures into merged threat data, andthen provides the merged threat data to the signature matching system318. The packet inspection system 316 may utilize the signature matchingsystem 318 to facilitate matching data in a packet of the bit streamdata with threat signatures contained in the merged threat data.

The packet inspection system 316 may also analyze the one or morepackets for threats based on threat analysis log data provided by thecommercial packet inspection appliance 306. In this way, the packetinspection system 316 can analyze the one or more packets based onproprietary threat signatures that are otherwise not available fordirect aggregation (e.g., threat signatures produced for exclusive useby certain commercial packet inspection appliances). Depending on theembodiment, the packet inspection system 316 may be implemented using anopen source software application for packet inspection. The packetinspection system 316 may be implemented using one or more conventionalprogrammable appliances, including but not limited to Bivio 7000® or8000i® platform by Bivio Networks®.

Where the packet inspection system 316 does not detect a match betweendata in a packet of the bit stream data and at least one of the threatsignatures in the merged threat data, the threat analysis system 308 bmay send the packet to its destination at step 324 and the log eventprocess can log the no-signature-match result using a log event process326. Where the packet inspection system 316 detects a match between datain a packet of the bit stream data and at least one of the threatsignatures in the merged threat data, a log event process 326 can logthe signature match result. Subsequently, the log event process 326 canprovide the log data to the action system 332, such as a SIEM, which mayanalyze the log data and take action accordingly. For example, afteranalyzing the log data, the action system 332 may notify a securityoperations officer, or automatically notify another system using machinereadable electronic formats, that the log data indicates the detectionof a threat in the bit stream data. In another instance, after analyzingthe log data, the action system 332 may detect a security issue that mayhave not been detected by the packet inspection system 316 and inresponse the action system 332 may cause a trigger action process 330 totrigger an action.

During an interpolation process 328, the analytics system 320 may use aheuristic analytics engine, or a comparative analytics engine, toanalyze the log data produced by the log event process 326 to detectthreats in the bit stream data. The analytics system 320 may furtherdetermine correlations based on the log data analyzed and learncorrelation behavior over time. During the trigger action process, thetrigger system 322 can trigger an action to address (e.g., protectagainst) a threat detected by the packet inspection system 316 or theanalytics system 320. The particular action triggered by the triggersystem 322 may be determined based on the results of the signature-basedthreat analysis performed by the packet inspection system 316 or theresults of the heuristic-based threat analysis performed by theanalytics system 320.

Additionally, depending on the results of the signature-based threatanalysis performed by the packet inspection system 316 or the results ofthe heuristic-based threat analysis performed by the analytics system320, the action may be triggered with respect to the internal network310 or the traffic aggregation system 314. The internal network 310 maybe used by one or more network devices 312 (e.g., switch, router,server, client device) to communicate with the public network (e.g., theInternet). The internal network 310 may comprise a physical network or avirtual network (e.g., SDN), and the trigger may reconfigure componentsof the physical or the virtual network included in the internal network310, such as physical or virtual routers. The traffic aggregation system314 may control the configuration of the perimeter edge router 304,which controls egress and ingress of bit stream data through theperimeter of an internal network.

FIG. 4 illustrates an example threat analysis system 402 in an exampleenvironment 400, according to an embodiment of the present disclosure.As shown, the example environment 400 includes the plurality of threatsignature sources 302, the programmable deep packet inspection appliance308 a including the example threat analysis system 402, and the actionsystem 332. As also shown, the threat analysis system 402 may include abit stream vector processing control 404, an application processingcontrol 406, the signature matching system 318, one or more processors408, the packet inspection system 316, the analytics system 320, thetrigger system 322.

In some embodiments, one or more processors in the set of processors 408processes (e.g., analyze) bit stream data in accordance with thecomponents of the threat analysis system 402. Additionally, the one ormore of the processors 408 may process the bit stream data using bitstream vector processing. For some embodiments, the bit stream vectorprocessing control 404 provides dynamic execution pathway control of oneor more of the processors 408 as those processors operate on bit streamdata using bit stream vector processing. For example, the bit streamvector processing control 404 may permit the threat analysis system 402to perform signature-based analysis on bit stream data using sequentialor differential bit stream vector processing on one or more of theprocessors 408.

Additionally, the bit stream vector processing control 404, incombination with the application processing control 406, may permit thethreat analysis system 402 to dedicate a specific subset of theprocessors 408 for bit stream vector processing of certain bit streamdata, or dedicate a specific subset of the processors 408 for performingparticular processes of the threat analysis system 402. For instance,through the bit stream vector processing control 404, the threatanalysis system 402 can dedicate a first subset of the processors 408for performing signature-based threat analysis of bit stream data, anddedicate a second subset of the processors 408 for performingheuristic-based threat analysis of bit stream data. The level ofprocessing control provided by the bit stream vector processing control404 can ensure that programmable deep packet inspection appliance 308 a,and the threat analysis system 402 in particular, can analyze bit streamdata at or near wire speed.

FIG. 5 illustrates an example process 500 for analyzing threats,according to an embodiment of the present disclosure. In someembodiments, the threat analysis process 500 may be performed in wholeor in part by the threat analysis system 108 described herein. For someembodiments, the process for analyzing data flows may perform more orless operations than what is illustrated in FIG. 5, and may perform theoperations illustrated in FIG. 5 in an order different than the ordershown.

At block 502, bit stream data is received. Depending on the embodiment,the bit stream data may be received from a network device, or some othersource of bit stream data. The bit stream data may be received by athreat analysis system described herein, such as the threat analysissystem 108. The bit stream data may comprise one or more data segments(e.g., network frames or network packets), which may be transmitted froma data source (e.g., source network device) and addressed to a data sink(e.g., destination network device). At block 504, a plurality of threatsignatures from a plurality of threat signature sources is aggregated.At block(s) 506, the bit stream data received at block 502 is analyzedfor threats based on the plurality of threat signatures aggregated atblock 504, and optionally in parallel across differential algorithmsets. At block 508, a result of analyzing the bit stream data, at block506, is logged as threat analysis log data. At block 510, the threatanalysis log data is heuristically analyzed for threats in the bitstream data. At block 512, an action is triggered based on analysis ofthe bit stream data at block 506, or based on heuristic analysis of thethreat analysis log data at block 510. At block 514, a user is notifiedregarding one or more threats identified by analysis of the bit streamdata at block 506, or identified by heuristic analysis of the threatanalysis log data at block 510.

Where components or modules of the invention are implemented in whole orin part using software, in one embodiment, these software elements canbe implemented to operate with a computing or processing module capableof carrying out the functionality described with respect thereto. Onesuch example computing module is shown in FIG. 6. Various embodimentsare described in terms of this example-computing module 600. Afterreading this description, it will become apparent to a person skilled inthe relevant art how to implement the invention using other computingmodules or architectures.

Referring now to FIG. 6, computing module 600 may represent, forexample, computing or processing capabilities found within desktop,laptop and notebook computers; hand-held computing devices (PDA's, smartphones, cell phones, palmtops, tablets, etc.); mainframes,supercomputers, workstations or servers; or any other type ofspecial-purpose or general-purpose computing devices as may be desirableor appropriate for a given application or environment. Computing module600 might also represent computing capabilities embedded within orotherwise available to a given device. For example, a computing modulemight be found in other electronic devices such as, for example, digitalcameras, navigation systems, cellular telephones, portable computingdevices, modems, routers, WAPs, terminals and other electronic devicesthat might include some form of processing capability.

In some embodiments, some or all the elements of FIG. 6 may be emulatedvia “virtualization software,” such as VMWare®, and others. Accordingly,various embodiments may utilize virtualization software that provides anexecution environment using emulated hardware, such as a “virtualmachine”. The virtualized software may be implemented, and provided, ascloud-based services, such as Amazon Web Services Elastic Compute Cloud.

Computing module 600 might include, for example, one or more processors,controllers, control modules, or other processing devices, such as aprocessor 604. Processor 604 might be implemented using ageneral-purpose or special-purpose processing engine such as, forexample, a microprocessor, controller, or other control logic. In theillustrated example, processor 604 is connected to a bus 602, althoughany communication medium can be used to facilitate interaction withother components of computing module 600 or to communicate externally.

Computing module 600 might also include one or more memory modules,simply referred to herein as main memory 608. For example, preferablyrandom access memory (RAM) or other dynamic memory, might be used forstoring information and instructions to be executed by processor 604.Main memory 608 might also be used for storing temporary variables orother intermediate information during execution of instructions to beexecuted by processor 604. Computing module 600 might likewise include aread only memory (“ROM”) or other static storage device coupled to bus602 for storing static information and instructions for processor 604.

The computing module 600 might also include one or more various forms ofinformation storage mechanism 610, which might include, for example, amedia drive 612 and a storage unit interface 620. The media drive 612might include a drive or other mechanism to support fixed or removablestorage media 614. For example, a hard disk drive, a floppy disk drive,a magnetic tape drive, an optical disk drive, a CD or DVD drive (R orRW), or other removable or fixed media drive might be provided.Accordingly, storage media 614 might include, for example, a hard disk,a floppy disk, magnetic tape, cartridge, optical disk, a CD or DVD, orother fixed or removable medium that is read by, written to or accessedby media drive 612. As these examples illustrate, the storage media 614can include a computer usable storage medium having stored thereincomputer software or data.

In alternative embodiments, information storage mechanism 610 mightinclude other similar instrumentalities for allowing computer programsor other instructions or data to be loaded into computing module 600.Such instrumentalities might include, for example, a fixed or removablestorage unit 622 and an interface 620. Examples of such storage units622 and interfaces 620 can include a program cartridge and cartridgeinterface, a removable memory (for example, a flash memory or otherremovable memory module) and memory slot, a PCMCIA slot and card, andother fixed or removable storage units 622 and interfaces 620 that allowsoftware and data to be transferred from the storage unit 622 tocomputing module 600.

Computing module 600 might also include a communications interface 624.Communications interface 624 might be used to allow software and data tobe transferred between computing module 600 and external devices.Examples of communications interface 624 might include a modem orsoftmodem, a network interface (such as an Ethernet, network interfacecard, WiMedia, IEEE 802.XX or other interface), a communications port(such as for example, a USB port, IR port, RS232 port, Bluetooth®interface, or other port), or other communications interface. Softwareand data transferred via communications interface 624 might typically becarried on signals, which can be electronic, electromagnetic (whichincludes optical) or other signals capable of being exchanged by a givencommunications interface 624. These signals might be provided tocommunications interface 624 via a channel 628. This channel 628 mightcarry signals and might be implemented using a wired or wirelesscommunication medium. Some examples of a channel might include a phoneline, a cellular link, an RF link, an optical link, a network interface,a local or wide area network, and other wired or wireless communicationschannels.

In this document, the terms “computer program medium” and “computerusable medium” are used to generally refer to media such as, forexample, memory 608, storage unit 620, media 614, and channel 628. Theseand other various forms of computer program media or computer usablemedia may be involved in carrying one or more sequences of one or moreinstructions to a processing device for execution. Such instructionsembodied on the medium, are generally referred to as “computer programcode” or a “computer program product” (which may be grouped in the formof computer programs or other groupings). When executed, suchinstructions might enable the computing module 600 to perform featuresor functions of the disclosed invention as discussed herein.

While various embodiments of the disclosed invention have been describedabove, it should be understood that they have been presented by way ofexample only, and not of limitation. Likewise, the various diagrams maydepict an example architectural or other configuration for the disclosedinvention, which is done to aid in understanding the features andfunctionality that can be included in the disclosed invention. Thedisclosed invention is not restricted to the illustrated examplearchitectures or configurations, but the desired features can beimplemented using a variety of alternative architectures andconfigurations. Indeed, it will be apparent to one of skill in the arthow alternative functional, logical or physical partitioning andconfigurations can be implemented to implement the desired features ofthe invention disclosed herein. Also, a multitude of differentconstituent module names other than those depicted herein can be appliedto the various partitions. Additionally, with regard to flow diagrams,operational descriptions and method claims, the order in which the stepsare presented herein shall not mandate that various embodiments beimplemented to perform the recited functionality in the same orderunless the context dictates otherwise.

Although the disclosed invention is described above in terms of variousexemplary embodiments and implementations, it should be understood thatthe various features, aspects and functionality described in one or moreof the individual embodiments are not limited in their applicability tothe particular embodiment with which they are described, but instead canbe applied, alone or in various combinations, to one or more of theother embodiments of the disclosed invention, whether or not suchembodiments are described and whether or not such features are presentedas being a part of a described embodiment. Thus, the breadth and scopeof the invention disclosed herein should not be limited by any of theabove-described exemplary embodiments.

Reference in this specification to “one embodiment”, “an embodiment”,“other embodiments”, “one series of embodiments”, “some embodiments”,“various embodiments”, “instance”, “instances”, “for example”,“examples”, or the like means that a particular feature, design,structure, or characteristic described in connection with theembodiment, instance, or example is included in at least one embodiment,instance, or example of the disclosure. The appearances of these termsin various places in the specification are not necessarily all referringto the same embodiment, instance, or example, nor are separate oralternative embodiments, instances, or examples mutually exclusive ofother embodiments, instances, or examples. Moreover, whether or notthere is express reference to an “embodiment” or the like, variousfeatures are described, which may be variously combined and included insome embodiments, instances, or examples, but also variously omitted inother embodiments, instances, or examples. Similarly, various featuresare described that may be preferences or requirements for someembodiments, instances, or embodiments, but not other embodiments,instances, or examples.

Terms and phrases used in this document, and variations thereof, unlessotherwise expressly stated, should be construed as open ended as opposedto limiting. As examples of the foregoing: the term “including” shouldbe read as meaning “including, without limitation” or the like; the term“example” is used to provide exemplary instances of the item indiscussion, not an exhaustive or limiting list thereof; the terms “a” or“an” should be read as meaning “at least one,” “one or more” or thelike; and adjectives such as “conventional,” “traditional,” “normal,”“standard,” “known” and terms of similar meaning should not be construedas limiting the item described to a given time period or to an itemavailable as of a given time, but instead should be read to encompassconventional, traditional, normal, or standard technologies that may beavailable or known now or at any time in the future. Likewise, wherethis document refers to technologies that would be apparent or known toone of ordinary skill in the art, such technologies encompass thoseapparent or known to the skilled artisan now or at any time in thefuture.

The presence of broadening words and phrases such as “one or more,” “atleast,” “but not limited to” or other like phrases in some instancesshall not be read to mean that the narrower case is intended or requiredin instances where such broadening phrases may be absent. The use of theterm “module” does not imply that the components or functionalitydescribed or claimed as part of the module are all configured in acommon package. Indeed, any or all of the various components of amodule, whether control logic or other components, can be combined in asingle package or separately maintained and can further be distributedin multiple groupings or packages or across multiple locations.

Additionally, the various embodiments set forth herein are described interms of exemplary block diagrams, flow charts and other illustrations.As will become apparent to one of ordinary skill in the art afterreading this document, the illustrated embodiments and their variousalternatives can be implemented without confinement to the illustratedexamples. For example, block diagrams and their accompanying descriptionshould not be construed as mandating a particular architecture orconfiguration.

What is claimed:
 1. A computer implemented method comprising:aggregating, by a computer system, a plurality of threat signatures froma plurality of threat signature data sources; analyzing, by the computersystem, bit stream data based on the plurality of threat signatures todetect a first threat in the bit stream data; logging, by the computersystem, a result of analyzing the bit stream data as threat analysis logdata; analyzing, by the computer system, the threat analysis log data todetect a second threat in the bit stream data; and triggering, by thecomputer system, an action based on the analyzing the bit stream data orbased on the analyzing the threat analysis log data.
 2. The computerimplemented method of claim 1, further comprising receiving the bitstream data over a network connection from a network device.
 3. Thecomputer implemented method of claim 1, wherein the analyzing bit streamdata and the analyzing the threat analysis log data are performed inparallel or in sequence and are included in a chain of independent orcooperative analyses associated with security.
 4. The computerimplemented method of claim 1, wherein the analyzing the threat analysislog data is based on at least one heuristic.
 5. The computer implementedmethod of claim 1, wherein the first threat and the second threat aresimilar.
 6. The computer implemented method of claim 1, furthercomprising outputting the bit stream data in response to the firstthreat and the second threat not being detected in the bit stream data.7. The computer implemented method of claim 1, wherein the actioncomprises configuring a network device to address the first threat inresponse to the first threat being detected in the bit stream data, orconfiguring the network device to address the second threat in responseto the second threat being detected in the bit stream data.
 8. Thecomputer implemented method of claim 7, wherein the network device isconfigured by configuring a network traffic aggregation system, thenetwork traffic aggregation system configuring the network device. 9.The computer implemented method of claim 7, wherein the network deviceis an edge network device.
 10. The computer implemented method of claim7, wherein the network device is an internal network device.
 11. Thecomputer implemented method of claim 1, wherein the analyzing the bitstream data based on the plurality of threat signatures comprisesperforming deep packet inspection based on the plurality of threatsignatures.
 12. The computer implemented method of claim 1, wherein theanalyzing the bit stream data is performed by bit stream vectorprocessing, or the analyzing the threat analysis log data is performedby bit stream vector processing.
 13. The computer implemented method ofclaim 1, wherein the action comprises at least one of dropping a packetin the bit stream data, routing the packet to a filter for deeper packetinspection, tagging the packet with a meta risk indicator or a meta riskscore, rerouting the packet to its destination, or rerouting the packetto a sandbox for quarantine.
 14. The computer implemented method ofclaim 1, wherein the triggering the action is performed by bit streamvector processing by a combination of parallel and sequential set ofworkers that are dynamically assigned.
 15. The computer implementedmethod of claim 1, wherein at least one threat signature data source inthe plurality of threat signature data sources is commercial,proprietary, or open source.
 16. The computer implemented method ofclaim 1, wherein the plurality of threat signature data sources includesindependent organizations.
 17. The computer implemented method of claim1, wherein the threat analysis log data includes log data produced by anexternal deep packet inspection system.
 18. The computer implementedmethod of claim 17, wherein the external deep packet inspection systemperforms deep packet inspection on the bit stream data before theanalyzing the bit stream data based on the plurality of threatsignatures, or before the analyzing the threat analysis log data.
 19. Asystem comprising: at least one processor; and a memory storinginstructions configured to instruct the at least one processor toperform: aggregating a plurality of threat signatures from a pluralityof threat signature data sources; analyzing bit stream data, based onthe plurality of threat signatures, to detect a first threat in the bitstream data; logging a result of analyzing the bit stream data as threatanalysis log data; analyzing the threat analysis log data to detect asecond threat in the bit stream data; and triggering an action based onthe analyzing the bit stream data or based on the analyzing the threatthe analysis log data.
 20. A non-transitory computer storage mediumstoring computer-executable instructions that, when executed, cause acomputer system to perform a computer-implemented method comprising:aggregating a plurality of threat signatures from a plurality of threatsignature data sources; analyzing bit stream data, based on theplurality of threat signatures, to detect a first threat in the bitstream data; logging a result of analyzing the bit stream data as threatanalysis log data; analyzing the threat analysis log data to detect asecond threat in the bit stream data; and triggering an action based onthe analyzing the bit stream data or based on the analyzing the threatthe analysis log data.